Security

Last updated: April 2026

The short version

We take security seriously even though we're a free app. Your password is hashed with bcrypt, all traffic is encrypted, and we follow OWASP guidelines. Here's exactly how we protect your data.

Authentication

Passwords hashed with bcrypt

Your password is never stored in plain text. We use bcrypt with a high cost factor, which is the industry standard for password hashing. Even if our database were compromised, your password would be extremely difficult to recover.

Breached password detection

When you set a password, we check it against the Have I Been Pwned database using k-anonymity — your full password is never sent to any external service. If your password has appeared in a known data breach, we'll ask you to pick a different one.
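As an added illustration (not BeerHockey's own code), here is how a k-anonymity lookup against the Pwned Passwords range API works: only the first 5 hex characters of the password's SHA-1 hash are sent, and the match against the returned suffixes happens locally. The function names, the injected `fetch_range` callable and the sample response are assumptions constructed for this example.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6, one "SUFFIX:COUNT"
# entry per line. Counts are made up; a count of 0 marks a padding entry.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    "1F0A9C3B7D5E2468ACE013579BDF2468ACE:0\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look up our suffix locally in the returned range; 0 means not found."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def is_breached(password: str, fetch_range) -> bool:
    """fetch_range(prefix) -> response body; it only ever sees the 5-char prefix."""
    prefix, suffix = split_hash(password)
    # A real fetch_range would GET https://api.pwnedpasswords.com/range/<prefix>
    return breach_count(suffix, fetch_range(prefix)) > 0


def demo():
    """Run two passwords through a stub that records what leaves the client."""
    sent = []

    def fake_fetch(prefix: str) -> str:
        sent.append(prefix)
        return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""

    results = {pw: is_breached(pw, fake_fetch)
               for pw in ("password", "correct horse battery staple")}
    return sent, results


if __name__ == "__main__":
    print(demo())
```

Because the stub records every argument it receives, the demo shows that the service sees a 5-character prefix shared by many unrelated hashes, never the password or its full hash.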

JWT authentication

Sessions use signed JSON Web Tokens that expire after 7 days. Tokens are verified on every API request. If a token is tampered with, it's rejected immediately.

Signed RSVP links

The one-click RSVP links in your emails use HMAC-signed tokens. They can't be forged or modified — each link is cryptographically tied to a specific player, event, and response.

Data in transit

HTTPS everywhere

All traffic between your browser and our servers is encrypted with TLS. We enforce HSTS (HTTP Strict Transport Security) so your browser always uses HTTPS, even if you type http://.

Security headers

Every response includes security headers: content type protection, clickjacking prevention, referrer policy controls, and restrictions on browser APIs we don't use (camera, microphone, geolocation).

Access control

Role-based permissions

Every API endpoint checks your role before allowing actions. Organizers, captains, and players each have different access levels. These checks happen server-side — the client can't bypass them.

Group isolation

You can only access data from groups you belong to. Every database query is scoped to your group membership. There's no way to view or modify another group's data.

Rate limiting

Authentication endpoints (login, registration, password reset) are rate-limited to prevent brute force attacks.

Data at rest

Minimal data collection

We only store what's needed to run your hockey group. No tracking data, no behavioral profiles, no advertising identifiers.

Audit logging

Security-relevant actions (logins, permission changes, data mutations) are logged with structured audit records for accountability.

No plain-text secrets

API keys, tokens, and passwords are never stored in plain text. Reset tokens are hashed before storage — even we can't read them.

What we don't store

Plain-text passwords
Credit card numbers
IP addresses in user records
Browser fingerprints
Location data
Cookies or tracking identifiers

Found a vulnerability?

If you discover a security issue, please report it responsibly. Don't post it publicly — use the form below and we'll work with you to fix it.

We'll acknowledge your report within 48 hours and keep you updated on the fix.

Keeping your account safe

Use a strong, unique password — at least 8 characters. Length matters more than complexity.
Don't reuse your BeerHockey password on other sites.
If you get a password reset email you didn't request, ignore it — someone may have typed your email by mistake.
Sign out on shared or public computers.
If you think your account has been compromised, reset your password immediately.

Security questions or concerns?

© 2026 BeerHockey